Roland,
While I understand that the definition has nothing to do with IT
security, there is no question that many folks use the phrase to
summarize a layered IT security model.
Edge routers with ACLs to filter white noise go to edge L3/4 firewalls
to filter their layer, which go to load balancers to terminate SSL (not
really security, I know), which go to L7 firewalls to inspect HTTP, just
to get to the web server. Then you have the whole layered DMZs for the
WEBs/APPs/DBs/inside etc. We employ "defense in depth" and everyone is
familiar with the concept even if they are using the phrase incorrectly.
And our wonderful federal auditors expect it and call it the same thing.
-Hammer-
"I was a normal American nerd"
-Jack Herer
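The filtering path Hammer sketches above (edge ACL, L3/4 firewall, TLS-terminating load balancer, L7 firewall, then the web server) can be modelled as a chain of independent checks, each of which only sees what the previous layers let through. The following is an added example, not code from anyone in this thread; the layer names, the bogon list, the port numbers and the sample requests are all constructed assumptions. It shows the point the thread is circling: an L3/4 device cannot judge an HTTP method or path, so a request that is clean at layers 3 and 4 can still be stopped at layer 7, and the web server only ever sees requests that cleared every layer.

```python
"""Toy model of a layered filtering path (constructed example, not from the thread).

Each layer is a function that returns None to pass the request on, or a short
reason string to drop it. traverse() runs a request through the chain in order.
"""
from dataclasses import dataclass, field
import ipaddress

@dataclass
class Request:
    src: str                     # source IP as seen at the edge
    dst_port: int
    proto: str                   # "tcp" or "udp"
    tls: bool                    # True until the load balancer terminates TLS
    method: str = ""
    path: str = ""
    headers: dict = field(default_factory=dict)

# Layer 1: edge router ACL. Drops "white noise" such as packets claiming a
# private or loopback source; these ranges are assumed for the example.
BOGONS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]

def edge_acl(req: Request):
    if any(ipaddress.ip_address(req.src) in net for net in BOGONS):
        return "edge-acl: bogon source"
    return None

# Layer 2: L3/4 firewall. Only TCP to the one published service port (assumed 443).
SERVICE_PORT = 443

def l34_firewall(req: Request):
    if req.proto != "tcp" or req.dst_port != SERVICE_PORT:
        return "l34-fw: port/proto not permitted"
    return None

# Layer 3: load balancer. Terminates TLS; anything not speaking TLS on the
# TLS port is rejected, and from here on the request is plaintext to the L7 box.
def load_balancer(req: Request):
    if not req.tls:
        return "lb: plaintext on TLS port"
    req.tls = False  # decrypted; L7 inspection now possible
    return None

# Layer 4: L7 firewall. Inspects the HTTP request the lower layers could not see.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

def l7_firewall(req: Request):
    if req.method not in ALLOWED_METHODS:
        return "l7-fw: method not allowed"
    if ".." in req.path or "\x00" in req.path:
        return "l7-fw: suspicious path"
    if not req.headers.get("Host"):
        return "l7-fw: missing Host header"
    return None

LAYERS = [edge_acl, l34_firewall, load_balancer, l7_firewall]

def traverse(req: Request):
    """Run a request through every layer in order.

    Returns (reached_web_server, stopped_at, reason). The first layer that
    objects wins; later layers never see the request.
    """
    for layer in LAYERS:
        reason = layer(req)
        if reason is not None:
            return (False, layer.__name__, reason)
    return (True, "web_server", "delivered")

def summarize(requests):
    """Count, per layer, how many requests that layer stopped (plus deliveries)."""
    counts = {layer.__name__: 0 for layer in LAYERS}
    counts["web_server"] = 0
    for req in requests:
        _, stopped_at, _ = traverse(req)
        counts[stopped_at] += 1
    return counts

if __name__ == "__main__":
    # Constructed sample traffic; one request per layer plus a clean one.
    sample = [
        Request("10.1.2.3", 443, "tcp", True, "GET", "/", {"Host": "www.example"}),
        Request("198.51.100.7", 22, "tcp", False),
        Request("198.51.100.8", 443, "tcp", False, "GET", "/", {"Host": "www.example"}),
        Request("198.51.100.9", 443, "tcp", True, "TRACE", "/", {"Host": "www.example"}),
        Request("198.51.100.10", 443, "tcp", True, "GET", "/app/../cfg", {"Host": "www.example"}),
        Request("198.51.100.11", 443, "tcp", True, "GET", "/index.html", {"Host": "www.example"}),
    ]
    for req in sample:
        print(req.src, traverse(req))
    print(summarize(sample))
```

The per-layer tally from summarize() is the defender's view of why the layers are kept separate: each count is traffic the earlier layers had no way to judge, and a quiet web-server log says nothing about how much the path in front of it absorbed.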
On 12/07/2011 09:43 PM, Dobbins, Roland wrote:
On Dec 8, 2011, at 1:36 AM, Leo Bicknell wrote:
I don't think you're looking at defense in depth in the right way,
Actually, it sometimes seems as if nobody in the industry understands what
'defense in depth' really means, heh.
'Defense in depth' is a military term of art which equates to 'trading space
for time in order to facilitate attrition of enemy forces'. It does not have
any real relevance to infosec/opsec; unfortunately, its original meaning has
been corrupted and so it is widely (and incorrectly) used in place of the more
appropriate 'combined arms approach' or 'jointness' or 'mutual support' or
'layered defense' metaphors. Hannibal's tactics at Cannae are generally cited
as the canonical (pardon the pun) example of actual military defense in depth.
;>
-----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>
The basis of optimism is sheer terror.
-- Oscar Wilde